Apple gives in to the bug bounty program

Apple seeks better vulnerability disclosure for its products with the launch of its new bug bounty program. The company announced the initiative yesterday at the Black Hat security conference in Las Vegas, after a history of reluctance to let external researchers find flaws in Apple’s iPhones and other software.

The program will start as invitation-only, open to a few selected exploit experts, and will eventually reward any submitter who finds a significant vulnerability in Apple’s latest hardware and iOS.

Public bug bounty programs have proven effective over time, but in some cases such programs can have dangerous downsides, according to Rich Mogull, CEO of information security firm Securosis.

Apple’s bug bounty is scheduled to begin in September and will offer payouts of up to $200,000.

The more sensitive the bug, the higher the bounty

The bug bounty program’s first phase consists of five categories covering major exploits, such as arbitrary code execution and data extraction from the Secure Enclave, valued at $50,000 and $100,000 respectively.

The remaining categories are unauthorized access to iCloud account data ($50,000), escaping a sandboxed process ($25,000), and any vulnerability affecting the secure boot firmware components, which carries the top $200,000 reward.

Apple has also announced that bounties will double if submitters donate their rewards to charity.